LUKS2 dm-crypt cryptsetup - Opal SSD Hardware Encryption

Hi everyone! After I read this: https://www.phoronix.com/news/Cryptsetup-Lands-OPAL-Encrypt, I’m trying to figure out how I can know whether, in the Fedora installation with the encryption box enabled, I get these new features. I’m currently running Fedora, but before installing it, I followed this guide https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive, enabling the hardware encryption only.

The article shows this:

"--hw-opal can be specified for OPAL + dm-crypt, and
--hw-opal-only can be specified to use OPAL only, without a dm-crypt layer."

Anaconda does not even have the ability to modify the luks --cipher --keysize --hash during the installation nor the advanced installer blivet-gui.

You could create the luks container before you do the install then open the container during the install, or possibly in a kickstart file configuration.

1 Like

Thank you for the better explanation! :smiley:
Talking about the way you mentioned, where the container is created/opened before the installation of Fedora Workstation (setup GUI): I have doubts, because the interface shows me the partitioning step, where, as I remember, it isn’t possible to finish without a clean partition. Maybe I am wrong about it?

You can just re-use existing partitions during an install (select don’t format for the particular partition.)

Make sure you have working backups! This is a pretty new feature and one nasty bug can easily lock you out. Developers claim that it is in an experimental stage.

Also, you need Fedora 40 to get cryptsetup 2.7.x

3 Likes

Oh! great!
About the updated version of cryptsetup, I don’t think it could be a problem, because using the live environment of Fedora Workstation, I was always able to install packages with dnf.

I’ll try it out as soon as possible and I’ll post the results here.
Many thanks to all of you guys! :smiley:

1 Like

Note that the updated package won’t be available on the installed system – with the LiveCD, the live image is basically copied to the installed system, without any changes you made while running the live system – so you’ll end up with a system that wouldn’t boot, because it still has the old version of cryptsetup that doesn’t support OPAL.

1 Like

I didn’t think about that! Do you think this next one could be a solution?
After the installation process, before the restart: start a terminal, mount the encrypted partition (LUKS+SED) where the new OS is installed (the live system already has cryptsetup manually updated), chroot into the new system and then update cryptsetup on the new system.
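As an added example that is not part of this thread, a small POSIX shell check for that pre-reboot step: it parses `cryptsetup --version` for 2.7.0 or newer (the release that introduced --hw-opal / --hw-opal-only) and classifies the data segment reported by `cryptsetup luksDump`. The segment type names hw-opal and hw-opal-crypt are assumed from cryptsetup 2.7's LUKS2 metadata, and the luksDump excerpt is constructed, not captured from a real device.

```shell
# Added example (not from the thread). Segment type names "hw-opal" and
# "hw-opal-crypt" are assumed from cryptsetup 2.7 LUKS2 metadata.

# Returns 0 if `cryptsetup --version` output ("cryptsetup 2.7.0 flags: ...")
# reports 2.7.0 or newer, the first release with --hw-opal / --hw-opal-only.
cryptsetup_supports_opal() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^cryptsetup \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }; then
        return 0
    fi
    return 1
}

# Prints how the first data segment in `cryptsetup luksDump` output is protected:
# opal+dm-crypt, opal-only, dm-crypt (software only) or unknown.
luks_segment_mode() {
    seg=$(printf '%s\n' "$1" | sed -n '/^Data segments:/,/^Keyslots:/p' \
        | sed -n 's/^[[:space:]]*[0-9][0-9]*:[[:space:]]*\([a-z-]*\)[[:space:]]*$/\1/p' \
        | head -n 1)
    case "$seg" in
        hw-opal-crypt) echo "opal+dm-crypt" ;;
        hw-opal)       echo "opal-only" ;;
        crypt)         echo "dm-crypt" ;;
        *)             echo "unknown" ;;
    esac
}

# Constructed luksDump excerpt (not captured from a real device).
SAMPLE_DUMP='LUKS header information
Version:        2
Data segments:
  0: hw-opal-crypt
        offset: 16777216 [bytes]
        length: (whole device)
Keyslots:
  0: luks2'

# Live check: the cryptsetup on PATH, and optionally the LUKS device passed as
# the first argument (luksDump needs root and only reads the header).
if command -v cryptsetup >/dev/null 2>&1; then
    if cryptsetup_supports_opal "$(cryptsetup --version 2>&1)"; then
        echo "cryptsetup on PATH is OPAL-capable (>= 2.7)"
    else
        echo "cryptsetup on PATH is too old for --hw-opal; update it before rebooting"
    fi
    if [ -n "${1:-}" ]; then echo "$1: $(luks_segment_mode "$(cryptsetup luksDump "$1")")"; fi
fi
```

Run it inside the chroot (or with the chroot's cryptsetup first on PATH) so the version reported is the one the installed system will boot with, not the one patched into the live image.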

You could use the netinstall image, which pulls the latest packages from Fedora repos, so you end up with an up-to-date system.

2 Likes
